From mboxrd@z Thu Jan  1 00:00:00 1970
From: Steve Grubb <sgrubb@redhat.com>
Subject: Re: [PATCH ghak95] audit: Do not log full CWD path on empty relative
	paths
Date: Fri, 24 Aug 2018 10:28:37 -0400
Message-ID: <1756482.jLK7dZV42z@x2>
References: <20180802114436.1209-1-omosnace@redhat.com>
	<CAFqZXNuoVTkxE_0zCLFU3uJz4YHmtNVx=D_4POSPLWORs4g6Pg@mail.gmail.com>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Return-path: <linux-audit-bounces@redhat.com>
In-Reply-To: <CAFqZXNuoVTkxE_0zCLFU3uJz4YHmtNVx=D_4POSPLWORs4g6Pg@mail.gmail.com>
List-Unsubscribe: <https://www.redhat.com/mailman/options/linux-audit>,
	<mailto:linux-audit-request@redhat.com?subject=unsubscribe>
List-Archive: <https://www.redhat.com/archives/linux-audit>
List-Post: <mailto:linux-audit@redhat.com>
List-Help: <mailto:linux-audit-request@redhat.com?subject=help>
List-Subscribe: <https://www.redhat.com/mailman/listinfo/linux-audit>,
	<mailto:linux-audit-request@redhat.com?subject=subscribe>
Sender: linux-audit-bounces@redhat.com
Errors-To: linux-audit-bounces@redhat.com
To: Ondrej Mosnacek <omosnace@redhat.com>
Cc: Richard Guy Briggs <rgb@redhat.com>, Linux-Audit Mailing List <linux-audit@redhat.com>
List-Id: linux-audit@redhat.com

On Friday, August 24, 2018 8:59:10 AM EDT Ondrej Mosnacek wrote:
> On Thu, Aug 2, 2018 at 1:45 PM Ondrej Mosnacek <omosnace@redhat.com> wrote:
> > When a relative path has just a single component and we want to emit a
> > nametype=PARENT record, the current implementation just reports the full
> > CWD path (which is alrady available in the audit context).
> > 
> > This is wrong for three reasons:
> > 1. Wasting log space for redundant data (CWD path is already in the CWD
> > 
> >    record).
> > 
> > 2. Inconsistency with other PATH records (if a relative PARENT directory
> > 
> >    path contains at least one component, only the verbatim relative path
> >    is logged).
> > 
> > 3. In some syscalls (e.g. openat(2)) the relative path may not even be
> > 
> >    relative to the CWD, but to another directory specified as a file
> >    descriptor. In that case the logged path is simply plain wrong.
> > 
> > This patch modifies this behavior to simply report "." in the
> > aforementioned case, which is equivalent to an "empty" directory path
> > and can be concatenated with the actual base directory path (CWD or
> > dirfd from openat(2)-like syscall) once support for its logging is added
> > later. In the meantime, defaulting to CWD as base directory on relative
> > paths (as already done by the userspace tools) will be enough to achieve
> > results equivalent to the current behavior.
> 
> I tested this patch a little bit with the libauparse library (it has
> some functions for normalizing paths extracted from the records) and
> it seems to behave as intended. The userspace functions seem to take a
> rather crude approach and I think they won't always properly normalize
> some paths, but that is a separate issue and this patch at least
> definitely doesn't make it worse.

Be sure to test with directory names that have spaces in them as well as file 
names with spaces in them.

-Steve

> > See: https://github.com/linux-audit/audit-kernel/issues/95
> > 
> > Fixes: 9c937dcc7102 ("[PATCH] log more info for directory entry change
> > events") Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
> > ---
> > 
> >  kernel/audit.c | 9 ++++-----
> >  1 file changed, 4 insertions(+), 5 deletions(-)
> > 
> > diff --git a/kernel/audit.c b/kernel/audit.c
> > index 2a8058764aa6..4f18bd48eb4b 100644
> > --- a/kernel/audit.c
> > +++ b/kernel/audit.c
> > @@ -2127,28 +2127,27 @@ void audit_log_name(struct audit_context
> > *context, struct audit_names *n,> 
> >         audit_log_format(ab, "item=%d", record_num);
> > 
> > +       audit_log_format(ab, " name=");
> > 
> >         if (path)
> > 
> > -               audit_log_d_path(ab, " name=", path);
> > +               audit_log_d_path(ab, NULL, path);
> > 
> >         else if (n->name) {
> >         
> >                 switch (n->name_len) {
> >                 
> >                 case AUDIT_NAME_FULL:
> >                         /* log the full path */
> > 
> > -                       audit_log_format(ab, " name=");
> > 
> >                         audit_log_untrustedstring(ab, n->name->name);
> >                         break;
> >                 
> >                 case 0:
> >                         /* name was specified as a relative path and the
> >                         
> >                          * directory component is the cwd */
> > 
> > -                       audit_log_d_path(ab, " name=", &context->pwd);
> > +                       audit_log_untrustedstring(ab, ".");
> > 
> >                         break;
> >                 
> >                 default:
> >                         /* log the name's directory component */
> > 
> > -                       audit_log_format(ab, " name=");
> > 
> >                         audit_log_n_untrustedstring(ab, n->name->name,
> >                         
> >                                                     n->name_len);
> >                 
> >                 }
> >         
> >         } else
> > 
> > -               audit_log_format(ab, " name=(null)");
> > +               audit_log_format(ab, "(null)");
> > 
> >         if (n->ino != AUDIT_INO_UNSET)
> >         
> >                 audit_log_format(ab, " inode=%lu"
> > 
> > --
> > 2.17.1
> 
> --
> Ondrej Mosnacek <omosnace at redhat dot com>
> Associate Software Engineer, Security Technologies
> Red Hat, Inc.